Re: [ClusterLabs] Cluster administration from non-root users

2016-06-17 Thread Auer, Jens
Thanks a lot. Everything works as expected.
  Jens

--
Jens Auer | CGI | Software-Engineer
CGI (Germany) GmbH & Co. KG
Rheinstraße 95 | 64295 Darmstadt | Germany
T: +49 6151 36860 154
jens.a...@cgi.com
Our mandatory disclosures pursuant to § 35a GmbHG / §§ 161, 125a HGB can be found at 
de.cgi.com/pflichtangaben.

CONFIDENTIALITY NOTICE: Proprietary/Confidential information belonging to CGI 
Group Inc. and its affiliates may be contained in this message. If you are not 
a recipient indicated or intended in this message (or responsible for delivery 
of this message to such person), or you think for any reason that this message 
may have been addressed to you in error, you may not use or copy or deliver 
this message to anyone else. In such case, you should destroy this message and 
are asked to notify the sender by reply e-mail.


From: Tomas Jelinek [tojel...@redhat.com]
Sent: Monday, 13 June 2016 14:32
To: users@clusterlabs.org
Subject: Re: [ClusterLabs] Cluster administration from non-root users

On 13.6.2016 at 13:57, Auer, Jens wrote:
> Hi,
>
> I am trying to give admin rights to my clusters to non-root users. I
> have two users which need to be able to control the cluster. Both are
> members of the haclient group, and I have created acl roles granting
> write-access. I can query the cluster status, but I am unable to perform
> any commands:
> id
> uid=1000(mdaf) gid=1000(mdaf)
> groups=1000(mdaf),10(wheel),189(haclient),801(mdaf),802(mdafkey),803(mdafmaintain)
>
> pcs acl
> ACLs are enabled
>
> User: mdaf
>   Roles: admin
> User: mdafmaintain
>   Roles: admin
> Role: admin
>   Permission: write xpath /cib (admin-write)
>
> pcs cluster status
> Cluster Status:
>   Last updated: Mon Jun 13 11:46:45 2016  Last change: Mon Jun 13
> 11:46:38 2016 by root via cibadmin on MDA2PFP-S02
>   Stack: corosync
>   Current DC: MDA2PFP-S01 (version 1.1.13-10.el7-44eb2dd) - partition
> with quorum
>   2 nodes and 9 resources configured
>   Online: [ MDA2PFP-S01 MDA2PFP-S02 ]
>
> PCSD Status:
>   MDA2PFP-S01: Online
>   MDA2PFP-S02: Online
>
> pcs cluster stop
> Error: localhost: Permission denied - (HTTP error: 403)
>
> pcs cluster start
> Error: localhost: Permission denied - (HTTP error: 403)

Hi Jens,

You configured permissions to edit CIB. But it is also required to
assign permissions to use pcsd (only root is allowed to start and stop
services, so the request goes through pcsd).

This can be done using pcs web UI:
- open the web UI in your browser at https://:2224
- login as hacluster user
- add existing cluster
- go to permissions
- set permissions for your cluster
- don't forget to apply changes

Regards,
Tomas

>
> I tried to use sudo instead, but this is also not working:
> sudo pcs status
> Permission denied
> Error: unable to locate command: /usr/sbin/crm_mon
>
> Any help would be greatly appreciated.
>
> Best wishes,
>   Jens
>

___
Users mailing list: Users@clusterlabs.org
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org



Re: [ClusterLabs] Cluster administration from non-root users

2016-06-13 Thread Tomas Jelinek

On 13.6.2016 at 13:57, Auer, Jens wrote:

> Hi,
>
> I am trying to give admin rights to my clusters to non-root users. I
> have two users which need to be able to control the cluster. Both are
> members of the haclient group, and I have created acl roles granting
> write-access. I can query the cluster status, but I am unable to perform
> any commands:
> id
> uid=1000(mdaf) gid=1000(mdaf)
> groups=1000(mdaf),10(wheel),189(haclient),801(mdaf),802(mdafkey),803(mdafmaintain)
>
> pcs acl
> ACLs are enabled
>
> User: mdaf
>   Roles: admin
> User: mdafmaintain
>   Roles: admin
> Role: admin
>   Permission: write xpath /cib (admin-write)
>
> pcs cluster status
> Cluster Status:
>   Last updated: Mon Jun 13 11:46:45 2016  Last change: Mon Jun 13
> 11:46:38 2016 by root via cibadmin on MDA2PFP-S02
>   Stack: corosync
>   Current DC: MDA2PFP-S01 (version 1.1.13-10.el7-44eb2dd) - partition
> with quorum
>   2 nodes and 9 resources configured
>   Online: [ MDA2PFP-S01 MDA2PFP-S02 ]
>
> PCSD Status:
>   MDA2PFP-S01: Online
>   MDA2PFP-S02: Online
>
> pcs cluster stop
> Error: localhost: Permission denied - (HTTP error: 403)
>
> pcs cluster start
> Error: localhost: Permission denied - (HTTP error: 403)


Hi Jens,

You configured permissions to edit CIB. But it is also required to 
assign permissions to use pcsd (only root is allowed to start and stop 
services, so the request goes through pcsd).


This can be done using pcs web UI:
- open the web UI in your browser at https://:2224
- login as hacluster user
- add existing cluster
- go to permissions
- set permissions for your cluster
- don't forget to apply changes

Regards,
Tomas



> I tried to use sudo instead, but this is also not working:
> sudo pcs status
> Permission denied
> Error: unable to locate command: /usr/sbin/crm_mon
>
> Any help would be greatly appreciated.
>
> Best wishes,
>   Jens



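The split described in the reply above (CIB ACLs on one side, pcsd permissions on the other) can be checked mechanically. This is an added example, not part of the thread and not pcs code: it parses the `pcs acl` output quoted in the thread, reports which users hold write access to the whole `/cib`, and, given a reader-supplied set of names that have been granted pcsd permissions, which users should still expect the HTTP 403 on start/stop. The function names and the `pcsd_allowed` parameter are assumptions for illustration.

```python
import re

# Constructed sample: the `pcs acl` output as quoted in the thread.
PCS_ACL_OUTPUT = """\
ACLs are enabled

User: mdaf
  Roles: admin
User: mdafmaintain
  Roles: admin
Role: admin
  Permission: write xpath /cib (admin-write)
"""

PERM_RE = re.compile(r"Permission:\s+(read|write|deny)\s+(xpath|id)\s+(\S+)")

def parse_pcs_acl(text):
    """Return (acls_enabled, {user: [roles]}, {role: [(kind, scope, target)]})."""
    enabled = "ACLs are enabled" in text
    users, roles, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("User:"):
            current = ("user", line.split(":", 1)[1].strip())
            users[current[1]] = []
        elif line.startswith("Role:"):
            current = ("role", line.split(":", 1)[1].strip())
            roles[current[1]] = []
        elif line.startswith("Roles:") and current and current[0] == "user":
            users[current[1]] = line.split(":", 1)[1].split()
        elif current and current[0] == "role":
            m = PERM_RE.match(line)
            if m:
                roles[current[1]].append(m.groups())
    return enabled, users, roles

def audit(text, pcsd_allowed=frozenset()):
    """Per user: full CIB write via ACL roles, and whether pcsd would refuse them."""
    _, users, roles = parse_pcs_acl(text)
    report = {}
    for user, assigned in users.items():
        perms = [p for role in assigned for p in roles.get(role, [])]
        report[user] = {
            "cib_full_write": ("write", "xpath", "/cib") in perms,
            # start/stop goes through pcsd, so a CIB ACL alone does not help
            "pcsd_403_expected": user not in pcsd_allowed,
        }
    return report
```

With the thread's output and an empty `pcsd_allowed`, both users show full CIB write and an expected 403, which is the situation reported in the original post.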
[ClusterLabs] Cluster administration from non-root users

2016-06-13 Thread Auer, Jens
Hi,

I am trying to give admin rights to my clusters to non-root users. I have two 
users which need to be able to control the cluster. Both are members of the 
haclient group, and I have created acl roles granting write-access. I can query 
the cluster status, but I am unable to perform any commands:
id
uid=1000(mdaf) gid=1000(mdaf) 
groups=1000(mdaf),10(wheel),189(haclient),801(mdaf),802(mdafkey),803(mdafmaintain)

pcs acl
ACLs are enabled

User: mdaf
  Roles: admin
User: mdafmaintain
  Roles: admin
Role: admin
  Permission: write xpath /cib (admin-write)

pcs cluster status
Cluster Status:
 Last updated: Mon Jun 13 11:46:45 2016  Last change: Mon Jun 13 11:46:38 
2016 by root via cibadmin on MDA2PFP-S02
 Stack: corosync
 Current DC: MDA2PFP-S01 (version 1.1.13-10.el7-44eb2dd) - partition with quorum
 2 nodes and 9 resources configured
 Online: [ MDA2PFP-S01 MDA2PFP-S02 ]

PCSD Status:
  MDA2PFP-S01: Online
  MDA2PFP-S02: Online

pcs cluster stop
Error: localhost: Permission denied - (HTTP error: 403)

pcs cluster start
Error: localhost: Permission denied - (HTTP error: 403)

I tried to use sudo instead, but this is also not working:
sudo pcs status
Permission denied
Error: unable to locate command: /usr/sbin/crm_mon

Any help would be greatly appreciated.

Best wishes,
  Jens
